Sign up for our newsletter
Technology / Cybersecurity

Heartbleed: Why changing your password is the worst advice EVER

Following the massive Heartbleed computer vulnerability that was discovered this week, websites susceptible to the bug have advised users to change their passwords to keep secure.

Tumblr, a blogging platform owned by Yahoo, told its users: "This might be a good day to call in sick and take some time to change your passwords everywhere- especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

Graham Cluley, a British IT security expert, said on his website that this is "awful advice."

White papers from our partners

He went on to advise that you "should only change your password in response to the Heartbleed bug after a website or internet company has 1. Checked to see if it is vulnerable, 2. Patched its systems, 3. Grabbed a new SSL certificate (having revoked their previous one), and 4. Told you it is fixed."

The argument is that if users change their passwords before a website is deemed safe, users’ details may be made even more vulnerable by opportunistic attackers that are taking advantage of Heartbleed.

A cyber security chief at the Institution of Engineering and Technology, Hugh Boyes, also said: "Changing the password before the bug is fixed could compromise your new password."

Microsoft software architect Troy Hunt also advised on his Twitter account that the popular method of checking whether a website is Heartbleed-vulnerable,, is not at all trustworthy.

Hunt said: "Let me make this graphically explicit: top test run 1st, bottom one 5 secs later. Don’t rely on []."


When websites are eventually safe, it is a good idea to follow our tips here for a how-to on making secure passwords. Making them long and complex, not reusing the same passwords, regularly changing passwords, and two-factor authentication are all reliable methods of making stronger passwords.
This article is from the CBROnline archive: some formatting and images may not be present.